
WireX Variant Capable of UDP Flood Attacks

The WireX botnet presented defenders with many superlatives: the largest mobile botnet ever; hundreds of mobile apps spreading application-layer DDoS malware; unprecedented cooperation between technology companies—even competitors—to halt some of its activities.

And now a companion piece to WireX has emerged that retreats right back to traditional DDoS activity, concentrating on UDP flood attacks through Android devices.

Researchers at F5 Labs said the bot sample they’ve analyzed creates 50 simultaneous threads, each capable of sending 10 million UDP packets, each packet weighing in at 512 bytes. The severity of these attacks depends on the infected device hardware, according to F5 security research manager Maxim Zavodchik.

“The hardcoded 10M packets per each thread doesn’t say how many packets per second can be sent,” Zavodchik said.

F5 said this variant shares the same command and control server domain, and some identical code, as the WireX malware disclosed last week. The first public version of WireX was spread through hundreds of mobile apps, 300 of which have been removed from Google Play, that sent an overwhelming number of requests over HTTPS to websites in an attempt to crash those webservers.

“Currently it seems that the attackers are in a ‘testing’ phase, trying to infect as many devices as they can,” Zavodchik said. “It seems like there are many different variants in the wild. [The] same C&C server serves different variants and there is currently no ‘version upgrade’ functionality in the malware. All versions are participating in the same attack.”

F5 published a report Tuesday that explained how the UDP flood bot browses a command and control URL (u[.]axclick[.]store) to receive a response containing the target domain and port. The researchers also saw a feature served by the C&C URL that causes the malware to open the default Android browser 10 times to browse the target URL. This behavior resembles click-fraud malware; last week’s report on WireX said the malware shared characteristics with the Android Clicker click-fraud malware. Researchers from the coalition of companies that disclosed the WireX operation last week said the attackers behind this malware likely moved toward DDoS attacks in the recent past.

F5 backed up its claim that this malware is not on par, in maturity, with other DDoS malware.

“The attack execution routine is a bit different from most DDoS malware families. To maintain a continuous flood of packets and better orchestration, usually there are two concurrent executions—one to poll the C&C server for commands and another to execute the packet-sending loop, which executes until it is instructed to stop. Some malware get an attack duration from the C&C server as an attack parameter. The WireX malware doesn’t seem to support this. The attack loops seem to have a constant number of requests/packets sent, and the attack might not stop until it polls the C&C again. In the malware variants we have analyzed, the C&C server is polled in 60-second intervals (and on application launch and network connectivity change events). During a single GET flood loop, it sends 100 requests.”

Zavodchik said UDP flood attacks are easier and faster to pull off because they don’t require a TCP handshake the way HTTP flood attacks do.

“It also allows source IP address spoofing, though this malware doesn’t support it,” he said.
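As an added illustration from the defender's side (not code from the article or from F5), the following Python sketch applies two heuristics drawn from the behavior described above to constructed NetFlow-style and proxy-log records: it flags a source pushing a very large number of same-sized (512-byte) UDP packets at one destination port, and it flags a client that polls one host at a fixed cadence of roughly 60 seconds. The record layouts, IP addresses, hostnames and thresholds are all constructed assumptions.

```python
"""Added example, not from the Threatpost article or F5's report: two
detection heuristics for the traffic patterns attributed to the WireX
UDP-flood variant, run over constructed records.
  1. a source sending a huge volume of same-sized UDP packets to one port;
  2. a client polling one host at a fixed ~60 second cadence.
Every record, address, hostname and threshold below is constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records, one per flow:
# (src_ip, dst_ip, proto, dst_port, packets, bytes)
FLOWS = [
    ("10.0.0.7", "198.51.100.20", "udp", 8080, 2_000_000, 1_024_000_000),  # 512-byte UDP burst
    ("10.0.0.7", "198.51.100.20", "udp", 8080, 1_500_000, 768_000_000),    # second burst, same size
    ("10.0.0.7", "203.0.113.53", "udp", 53, 40, 3_520),                     # ordinary DNS
    ("10.0.0.8", "203.0.113.53", "udp", 53, 35, 2_975),
    ("10.0.0.9", "198.51.100.20", "tcp", 443, 900, 612_000),                # TCP, not considered
]

# Constructed proxy log: (unix_time, client_ip, host)
REQUESTS = [
    (1000, "10.0.0.7", "c2.example.invalid"),
    (1060, "10.0.0.7", "c2.example.invalid"),
    (1121, "10.0.0.7", "c2.example.invalid"),
    (1180, "10.0.0.7", "c2.example.invalid"),
    (1240, "10.0.0.7", "c2.example.invalid"),
    (1000, "10.0.0.8", "news.example.invalid"),
    (1007, "10.0.0.8", "news.example.invalid"),
    (1130, "10.0.0.8", "news.example.invalid"),
    (1131, "10.0.0.8", "news.example.invalid"),
    (1400, "10.0.0.8", "news.example.invalid"),
]


def find_udp_flood_sources(flows, min_packets=100_000, max_size_spread=1.0):
    """Return (src, dst, dport, total_packets, avg_size) for UDP sources that sent
    at least min_packets to one destination port with a near-constant packet size.
    Thresholds are constructed assumptions; tune them to the monitored link."""
    per_target = defaultdict(list)  # (src, dst, dport) -> [(packets, bytes), ...]
    for src, dst, proto, dport, packets, nbytes in flows:
        if proto == "udp" and packets > 0:
            per_target[(src, dst, dport)].append((packets, nbytes))
    hits = []
    for (src, dst, dport), samples in per_target.items():
        total_packets = sum(p for p, _ in samples)
        sizes = [b / p for p, b in samples]
        # A flood loop emitting a fixed payload shows the same average size in every
        # flow; legitimate UDP traffic (DNS, QUIC, VoIP) varies far more.
        if total_packets >= min_packets and pstdev(sizes) <= max_size_spread:
            hits.append((src, dst, dport, total_packets, round(mean(sizes), 1)))
    return hits


def find_periodic_pollers(requests, min_requests=4, max_jitter=0.1):
    """Return (client, host, mean_interval_s) for client/host pairs whose gaps
    between requests are nearly constant (coefficient of variation <= max_jitter).
    Fixed-cadence polling with no user behind it is the shape of a C&C check-in."""
    per_pair = defaultdict(list)  # (client, host) -> [timestamps]
    for ts, client, host in requests:
        per_pair[(client, host)].append(ts)
    hits = []
    for (client, host), stamps in per_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((client, host, round(avg, 1)))
    return hits


if __name__ == "__main__":
    for hit in find_udp_flood_sources(FLOWS):
        print("possible UDP flood source:", hit)
    for hit in find_periodic_pollers(REQUESTS):
        print("fixed-cadence polling:", hit)
```

Of the two checks, the cadence one travels better between networks: a check-in every 60 seconds with about one percent jitter has no human behind it, whereas a packet-count threshold depends on link speed and on where the flow collector sits, so it needs tuning per vantage point. Both are starting points for a flow or proxy pipeline rather than finished signatures.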

WireX made news last week when a number of tech companies including Google, Oracle, Cloudflare, Akamai and others said this was the largest mobile botnet ever seen. WireX was targeting primarily businesses in the hospitality, pornography and gambling industries with some attacks leaving behind a ransom note demanding an unnamed payment.

Google removed the offending apps from its marketplace and was in the process last week of removing the apps from Android devices through its Play Protect service. Law enforcement had been informed of the activity, including the domains serving malware and commands, but as of last week those sites were still up and running.

Some data shared by the collaborating companies indicates that at a minimum, 70,000 devices from more than 100 countries are infected. Akamai reportedly saw spikes of 120,000 unique IPs involved. The fluctuation in numbers could be due to the fact that as mobile devices move from one cell tower to the next, new IPs are generated each time.

Authors

Threatpost
